Finding the IP address of your visitors

When you create an account on section.io we give you lots of powerful tools to improve your website’s performance and security. There are great charts showing how many requests are being served and what is being done to them. You can dig into the logs and see how each request flows through section.io and what happens to it.

However, it is important to remember that at our core we are providing a reverse-proxy service: we handle HTTP requests on behalf of your website. This also means that any request that doesn’t get cached, redirected or blocked will eventually be passed back to your website, also known as the origin.

Who is connecting to my site?

Often you want to know the IP address of whoever is viewing your site, perhaps to work out where they are in the world using Geo-IP or to do fraud detection. Once you change your website’s DNS to point at section.io, every request for your website will pass through our servers before going to your site. From your website’s perspective, all requests will be coming from us, so the usual way of finding the IP address of your visitors won’t work. Usually you would read the requesting IP address: in PHP this is $_SERVER['REMOTE_ADDR'], in Ruby it’s request.env['REMOTE_ADDR'], and in .NET it’s HttpContext.Current.Request.ServerVariables["REMOTE_ADDR"]. All of these values are the IP address of the computer that is connecting to your site. Once you put section.io in front of your site, that IP address will be one of our servers, which is not very helpful in this case.

So what to do?

x-forwarded-for to the rescue! When an HTTP request comes from section.io to your website, it will have an additional request header: x-forwarded-for. The value of this request header will be the IP address of the computer that connected to section.io. This is the address that would have been in $_SERVER['REMOTE_ADDR'] previously.

This means that if you’re writing code on your site to check the IP address of your visitors, always check the x-forwarded-for header before looking at the remote address value. If you’ve got a Magento site that has a plugin doing geo-ip features, make sure it uses the x-forwarded-for value. And if your payment gateway does fraud detection based on an IP address, check that the gateway will use the x-forwarded-for header.
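One way to write that check in Ruby, as an added example that is not section.io's own code: because any client can send its own x-forwarded-for header, the value is only used when REMOTE_ADDR is one of the reverse proxy's addresses. The proxy ranges are constructed placeholders, the helper names are hypothetical, and the code assumes each proxy appends the address it saw to the end of the header.

```ruby
require 'ipaddr'

# Constructed placeholder ranges (RFC 5737 documentation space). Replace with
# the addresses your reverse proxy really connects from.
TRUSTED_PROXIES = %w[192.0.2.0/24 198.51.100.10].map { |cidr| IPAddr.new(cidr) }

# Parse one address; return nil for empty or malformed text instead of raising.
def parse_ip(text)
  text = text.to_s.strip
  return nil if text.empty?
  IPAddr.new(text)
rescue IPAddr::Error
  nil
end

def trusted_proxy?(ip, proxies = TRUSTED_PROXIES)
  proxies.any? { |range| range.include?(ip) }
end

# env is a Rack-style hash, as in request.env. Returns the visitor IP as a
# string, or nil when REMOTE_ADDR itself is unusable.
def visitor_ip(env, proxies = TRUSTED_PROXIES)
  peer = parse_ip(env['REMOTE_ADDR'])
  return nil if peer.nil?
  # Not connected through the proxy: the header is whatever the client typed,
  # so ignore it and use the socket address.
  return peer.to_s unless trusted_proxy?(peer, proxies)

  hops = env['HTTP_X_FORWARDED_FOR'].to_s.split(',').map { |h| parse_ip(h) }
  # Assumption: each proxy appends the address it saw, so read right to left
  # and stop at the first hop that is not one of our own proxies.
  hops.reverse_each do |hop|
    return peer.to_s if hop.nil?            # malformed entry: do not guess
    return hop.to_s unless trusted_proxy?(hop, proxies)
  end
  peer.to_s                                 # header missing or only proxies
end
```

Geo-IP and fraud checks should consume the value returned by `visitor_ip` rather than reading either the header or REMOTE_ADDR directly.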

The x-forwarded-for header lets you keep visibility of who is viewing your site while still getting all the benefits of a powerful reverse-proxy service like section.io.